angr 9.2.141__py3-none-manylinux2014_x86_64.whl → 9.2.142__py3-none-manylinux2014_x86_64.whl

angr/analyses/reaching_definitions/function_handler_library/stdlib.py

@@ -7,7 +7,7 @@ import claripy
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.knowledge_plugins.key_definitions.atoms import Atom
 from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
-
+from angr.knowledge_plugins.key_definitions.definition import Definition
 
 if TYPE_CHECKING:
     from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
@@ -75,7 +75,7 @@ class LibcStdlibHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_calloc(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         nmemb = state.get_concrete_value(data.args_atoms[0]) or 48
-        size = state.get_concrete_value(data.args_atoms[0]) or 1
+        size = state.get_concrete_value(data.args_atoms[1]) or 1
         heap_ptr = state.heap_address(state.heap_allocator.allocate(nmemb * size))
         data.depends(state.deref(heap_ptr, nmemb * size), value=0)
         data.depends(data.ret_atoms, value=heap_ptr)
@@ -84,18 +84,51 @@ class LibcStdlibHandlers(FunctionHandler):
     def handle_impl_getenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         name_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
         name_value = state.get_concrete_value(name_atom, cast_to=bytes)
-        if name_value is not None:
-            name_value = name_value.strip(b"\0").decode()
+        length = 2
+        heap_value = None
+
         data.depends(None, name_atom)
 
         # store a buffer, registering it as an output of this function
         # we store this two-byte mixed value because we don't want the value to be picked up by get_concrete_value()
         # but also it should be able to be picked up by NULL_TERMINATE reads
-        heap_ptr = state.heap_allocator.allocate(2)
-        heap_atom = state.deref(heap_ptr, 2)
-        heap_value = claripy.BVS("weh", 8).concat(claripy.BVV(0, 8))
-        data.depends(heap_atom, EnvironAtom(2, name_value), value=heap_value)
-        data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
+        heap_atom = None
+        env_atom = None
+        heap_ptr = None
+        sources = []
+        if name_value is not None:
+            name_value = name_value.strip(b"\0").decode()
+            for env_atom, env_value in state.others.items():
+                if not isinstance(env_atom, EnvironAtom) or env_atom.name != name_value:
+                    continue
+
+                # There exists an environment variable with this name
+                heap_value = env_value
+                length = env_atom.size
+                heap_ptr = state.heap_allocator.allocate(length)
+                heap_atom = state.deref(heap_ptr, length)
+                break
+
+            else:
+                heap_value = None
+
+        if name_value is None or heap_value is None or heap_atom is None or env_atom is None:
+            heap_ptr = state.heap_allocator.allocate(length)
+            heap_atom = state.deref(heap_ptr, length)
+            heap_value = claripy.BVS("weh", 8)
+            env_atom = EnvironAtom(length, name_value)
+            if heap_atom is not None:
+                heap_value = state.annotate_with_def(heap_value, Definition(heap_atom, state.codeloc))
+            heap_value = heap_value.concat(claripy.BVV(0, 8))
+            data.depends(env_atom, value=heap_value)  # Puts the env_atom in the others dict
+
+        data.depends(heap_atom, env_atom, value=heap_value)
+        sources = [heap_atom, env_atom]
+        if name_atom is not None:
+            sources.append(name_atom)
+
+        value = state.heap_address(heap_ptr) if heap_ptr is not None else state.top(state.arch.bits)
+        data.depends(data.ret_atoms, *sources, value=value)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_setenv(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
@@ -107,9 +140,9 @@ class LibcStdlibHandlers(FunctionHandler):
 
         src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
         src_value = state.get_values(src_atom)
-        data.depends(
-            EnvironAtom(len(src_value) // 8 if src_value is not None else 1, name_value), src_atom, value=src_value
-        )
+
+        env_atom = EnvironAtom(len(src_value) // 8 if src_value is not None else 1, name_value)
+        data.depends(env_atom, src_atom, value=src_value)
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_system(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):

angr/analyses/reaching_definitions/function_handler_library/string.py

@@ -1,8 +1,10 @@
 from __future__ import annotations
 import archinfo
+import claripy
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
 from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
+from angr.knowledge_plugins.key_definitions.live_definitions import MultiValues
 
 # pylint: disable=no-self-use,missing-class-docstring,unused-argument
 
@@ -12,16 +14,26 @@ class LibcStringHandlers(FunctionHandler):
     def handle_impl_strcat(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src0_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
         src1_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src0_value = state.get_values(src0_atom)
-        src1_value = state.get_values(src1_atom)
+        src0_value = state.get_values(src0_atom) if src0_atom is not None else None
+        src1_value = state.get_values(src1_atom) if src1_atom is not None else None
+
         if src0_value is not None and src1_value is not None:
             src0_value = src0_value.extract(0, len(src0_value) // 8 - 1, archinfo.Endness.BE)
             dest_value = src0_value.concat(src1_value)
             dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
+        elif src0_value is not None:
+            src0_value = src0_value.extract(0, len(src0_value) // 8 - 1, archinfo.Endness.BE)
+            top_val = state.top(state.arch.bits)
+            if src1_atom is not None:
+                for defn in state.get_definitions(src1_atom):
+                    top_val = state.annotate_with_def(top_val, defn)
+            dest_value = src0_value.concat(MultiValues(top_val))
+            dest_atom = state.deref(data.args_atoms[0], len(dest_value) // 8, endness=archinfo.Endness.BE)
         else:
             dest_value = None
             dest_atom = src0_atom
-        data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
+        if src0_atom is not None and src1_atom is not None:
+            data.depends(dest_atom, src0_atom, src1_atom, value=dest_value)
         data.depends(data.ret_atoms, data.args_atoms[0], value=src0_value)
 
     handle_impl_strncat = handle_impl_strcat
@@ -29,39 +41,76 @@ class LibcStringHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strlen(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
-            data.depends(data.ret_atoms, src_atom, value=len(src_str) // 8 - 1)
+        if src_atom is not None:
+            src_str = state.get_values(src_atom) if src_atom is not None else None
+            if src_str is not None:
+                data.depends(data.ret_atoms, src_atom, value=len(src_str) // 8 - 1)
+            else:
+                data.depends(data.ret_atoms, src_atom)
         else:
-            data.depends(data.ret_atoms, src_atom)
+            data.depends(data.ret_atoms, data.args_atoms[0])
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strcpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
-            dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+        src_str = state.get_values(src_atom) if src_atom is not None else None
+        if src_str is None:
+            src_str = state.top(state.arch.bits)
+            if src_atom is not None:
+                for defn in state.get_definitions(src_atom):
+                    src_str = state.annotate_with_def(src_str, defn)
+            src_str = MultiValues(src_str)
+
+        dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
+        if src_atom is not None:
             data.depends(dst_atom, src_atom, value=src_str)
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strncpy(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         n = state.get_concrete_value(data.args_atoms[2])
-        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE if n is None else n)
-        src_str = state.get_values(src_atom)
-        if src_str is not None:
+        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
+        src_str = state.get_values(src_atom) if src_atom is not None else None
+        if src_str is None and src_atom is not None:
+            tmp_atom = state.deref(data.args_atoms[1], 1)
+            if tmp_atom is not None:
+                tmp_str = state.get_values(tmp_atom)
+                val_defns = None if tmp_str is None else state.get_definitions(tmp_str)
+                if tmp_str is None or not val_defns:  # There's no data at all or no valid definitions
+                    src_str = state.top(state.arch.bits if n is None or n > state.arch.bytes else n * 8)
+                    defns = state.get_definitions(src_atom) if src_atom is not None else []
+                    for defn in defns:
+                        src_str = state.annotate_with_def(src_str, defn)
+                    src_str = MultiValues(src_str)
+                else:  # We found some data, but it's not NULL_TERIMINATED or of size n
+                    src_atoms = set()
+                    for defn in val_defns:
+                        a = defn.atom
+                        a.size = a.size if n is None or a.size < n else n
+                        src_atoms.add(a)
+                    src_str = state.get_values(src_atoms)
+
+        elif n is not None and src_str is not None and n < len(src_str) // 8:
+            # We have a src_str, but need to truncate it if n is not None and less than the size of src_str
+            src_atom = state.deref(data.args_atoms[1], n)
+            if src_atom is not None:
+                src_str = state.get_values(src_atom)
+
+        if src_str is not None and src_atom is not None:
             dst_atom = state.deref(data.args_atoms[0], len(src_str) // 8)
             data.depends(dst_atom, src_atom, value=src_str)
+
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strdup(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
-        src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
-        src_str = state.get_values(src_atom)
-        malloc_size = len(src_str) // 8 if src_str is not None else 1
-        heap_ptr = state.heap_allocator.allocate(malloc_size)
-        dst_atom = state.deref(heap_ptr, malloc_size)
-        data.depends(dst_atom, src_atom, value=src_str)
+        src_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
+        if src_atom is not None:
+            src_str = state.get_values(src_atom)
+            malloc_size = len(src_str) // 8 if src_str is not None else 1
+            heap_ptr = state.heap_allocator.allocate(malloc_size)
+            dst_atom = state.deref(heap_ptr, malloc_size)
+            data.depends(dst_atom, src_atom, value=src_str)
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
@@ -70,15 +119,22 @@ class LibcStringHandlers(FunctionHandler):
         if size is not None:
             src_atom = state.deref(data.args_atoms[1], size)
             dst_atom = state.deref(data.args_atoms[0], size)
-            data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
+            if src_atom is not None:
+                data.depends(dst_atom, src_atom, value=state.get_values(src_atom))
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_memset(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[2])
+        c = state.get_concrete_value(data.args_atoms[1])
         if size is not None:
             dst_atom = state.deref(data.args_atoms[0], size)
-            data.depends(dst_atom, data.args_atoms[1])
+            if c is not None:
+                value = MultiValues(claripy.BVV(chr(c) * size, size * 8))
+                data.depends(dst_atom, data.args_atoms[1], value=value)
+            else:
+                data.depends(dst_atom, data.args_atoms[1], value=state.get_values(data.args_atoms[1]))
+
         data.depends(data.ret_atoms, data.args_atoms[0], value=state.get_values(data.args_atoms[0]))
 
     @FunctionCallDataUnwrapped.decorate

angr/analyses/reaching_definitions/function_handler_library/unistd.py

@@ -1,17 +1,37 @@
 from __future__ import annotations
+import random
 from angr.analyses.reaching_definitions.function_handler import FunctionCallDataUnwrapped, FunctionHandler
 from angr.analyses.reaching_definitions.function_handler_library.stdio import StdinAtom, StdoutAtom
 from angr.analyses.reaching_definitions.rd_state import ReachingDefinitionsState
+from angr.knowledge_plugins.key_definitions.atoms import Atom
 
 # pylint: disable=no-self-use,missing-class-docstring,unused-argument
 
 
+class FDAtom(Atom):
+    def __init__(self, fd: int | None, source: str, size: int = 1):
+        self.source = source
+        self.fd = fd
+        self.nonce = random.randint(0, 999999999999)
+        super().__init__(size)
+
+    def _identity(self):
+        if self.fd is not None:
+            return (self.fd,)
+        return (self.nonce,)
+
+
 class LibcUnistdHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_read(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[2]) or 1
         dst_atom = state.deref(data.args_atoms[1], size)
-        data.depends(dst_atom, StdinAtom(data.function.name, size))
+        real_fd = state.get_concrete_value(data.args_atoms[0])
+
+        fd_atom = StdinAtom(data.function.name, size) if real_fd == 0 else FDAtom(real_fd, data.function.name, size)
+        buf_data = state.top(size * 8) if size is not None else state.top(state.arch.bits)
+
+        data.depends(dst_atom, fd_atom, value=buf_data)
 
     handle_impl_recv = handle_impl_recvfrom = handle_impl_read
 

angr/analyses/reaching_definitions/rd_state.py

@@ -215,14 +215,14 @@ class ReachingDefinitionsState:
     def tmp_uses(self):
         return self.live_definitions.tmp_uses
 
-    @property
-    def register_uses(self):
-        return self.live_definitions.register_uses
-
     @property
     def registers(self) -> MultiValuedMemory:
         return self.live_definitions.registers
 
+    @property
+    def register_uses(self):
+        return self.live_definitions.register_uses
+
     @property
     def stack(self) -> MultiValuedMemory:
         return self.live_definitions.stack
@@ -239,13 +239,17 @@ class ReachingDefinitionsState:
     def heap_uses(self):
         return self.live_definitions.heap_uses
 
+    @property
+    def memory(self) -> MultiValuedMemory:
+        return self.live_definitions.memory
+
     @property
     def memory_uses(self):
         return self.live_definitions.memory_uses
 
     @property
-    def memory(self) -> MultiValuedMemory:
-        return self.live_definitions.memory
+    def others(self) -> dict[Atom, MultiValues]:
+        return self.live_definitions.others
 
     @property
     def uses_by_codeloc(self):
@@ -493,7 +497,7 @@ class ReachingDefinitionsState:
             self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
     def get_definitions(
-        self, atom: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]]
+        self, atom: Atom | Definition[Atom] | Iterable[Atom] | Iterable[Definition[Atom]] | MultiValues
     ) -> set[Definition[Atom]]:
         return self.live_definitions.get_definitions(atom)
 

angr/analyses/s_liveness.py

@@ -2,9 +2,10 @@ from __future__ import annotations
 
 import networkx
 from ailment.expression import VirtualVariable
-from ailment.statement import Assignment, Call
+from ailment.statement import Assignment, Call, ConditionalJump
 
 from angr.analyses import Analysis, register_analysis
+from angr.utils.ail import is_head_controlled_loop_block, is_phi_assignment
 from angr.utils.ssa import VVarUsesCollector, phi_assignment_get_src
 
 
@@ -69,8 +70,14 @@ class SLivenessAnalysis(Analysis):
             block_key = block.addr, block.idx
             changed = False
 
+            head_controlled_loop = is_head_controlled_loop_block(block)
+
             live = set()
             for succ in graph.successors(block):
+                if head_controlled_loop and (block.addr, block.idx) == (succ.addr, succ.idx):
+                    # this is a head-controlled loop block; we ignore the self-loop edge because all variables defined
+                    # in the block after the conditional jump will be dead after leaving the current block
+                    continue
                 edge = (block.addr, block.idx), (succ.addr, succ.idx)
                 if edge in live_on_edges:
                     live |= live_on_edges[edge]
@@ -81,8 +88,18 @@ class SLivenessAnalysis(Analysis):
                 changed = True
                 live_outs[block_key] = live.copy()
 
+            if head_controlled_loop:
+                # this is a head-controlled loop block; we start scanning from the first condition jump backwards
+                condjump_idx = next(
+                    iter(i for i, stmt in enumerate(block.statements) if isinstance(stmt, ConditionalJump)), None
+                )
+                assert condjump_idx is not None
+                stmts = block.statements[: condjump_idx + 1]
+            else:
+                stmts = block.statements
+
             live_in_by_pred = {}
-            for stmt in reversed(block.statements):
+            for stmt in reversed(stmts):
                 # handle assignments: a defined vvar is not live before the assignment
                 if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
                     live.discard(stmt.dst.varid)
@@ -92,6 +109,10 @@ class SLivenessAnalysis(Analysis):
                 phi_expr = phi_assignment_get_src(stmt)
                 if phi_expr is not None:
                     for src, vvar in phi_expr.src_and_vvars:
+                        if head_controlled_loop and src == (block.addr, block.idx):
+                            # this is a head-controlled loop block; we ignore the self-loop edge
+                            continue
+
                         if src not in live_in_by_pred:
                             live_in_by_pred[src] = live.copy()
                         if vvar is not None:
@@ -99,9 +120,15 @@ class SLivenessAnalysis(Analysis):
                         live_in_by_pred[src].discard(stmt.dst.varid)
 
                 # handle the statement: add used vvars to the live set
-                vvar_use_collector = VVarUsesCollector()
-                vvar_use_collector.walk_statement(stmt)
-                live |= vvar_use_collector.vvars
+                if head_controlled_loop and is_phi_assignment(stmt):
+                    for src, vvar in stmt.src.src_and_vvars:
+                        # this is a head-controlled loop block; we ignore the self-loop edge
+                        if src != (block.addr, block.idx) and vvar is not None:
+                            live |= {vvar.varid}
+                else:
+                    vvar_use_collector = VVarUsesCollector()
+                    vvar_use_collector.walk_statement(stmt)
+                    live |= vvar_use_collector.vvars
 
             if live_ins[block_key] != live:
                 live_ins[block_key] = live
@@ -135,7 +162,18 @@ class SLivenessAnalysis(Analysis):
 
         for block in self.func_graph.nodes():
             live = self.model.live_outs[(block.addr, block.idx)].copy()
-            for stmt in reversed(block.statements):
+
+            if is_head_controlled_loop_block(block):
+                # this is a head-controlled loop block; we start scanning from the first condition jump backwards
+                condjump_idx = next(
+                    iter(i for i, stmt in enumerate(block.statements) if isinstance(stmt, ConditionalJump)), None
+                )
+                assert condjump_idx is not None
+                stmts = block.statements[: condjump_idx + 1]
+            else:
+                stmts = block.statements
+
+            for stmt in reversed(stmts):
                 if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
                     def_vvar = stmt.dst.varid
                 elif isinstance(stmt, Call) and isinstance(stmt.ret_expr, VirtualVariable):

angr/analyses/s_reaching_definitions/s_rda_model.py

@@ -91,13 +91,15 @@ class SRDAModel:
                     )
         return defs
 
-    def get_vvar_uses(self, obj: atoms.VirtualVariable) -> set[CodeLocation]:
+    def get_vvar_uses(self, obj: VirtualVariable | atoms.VirtualVariable) -> set[CodeLocation]:
         the_vvar = self.varid_to_vvar.get(obj.varid, None)
         if the_vvar is not None:
             return {loc for _, loc in self.all_vvar_uses[the_vvar]}
         return set()
 
-    def get_vvar_uses_with_expr(self, obj: atoms.VirtualVariable) -> set[tuple[CodeLocation, VirtualVariable]]:
+    def get_vvar_uses_with_expr(
+        self, obj: VirtualVariable | atoms.VirtualVariable
+    ) -> set[tuple[CodeLocation, VirtualVariable]]:
         the_vvar = self.varid_to_vvar.get(obj.varid, None)
         if the_vvar is not None:
             return {(loc, expr) for expr, loc in self.all_vvar_uses[the_vvar]}

angr/analyses/typehoon/simple_solver.py

@@ -185,7 +185,9 @@ class Sketch:
             return self.node_mapping[typevar]
         node: SketchNodeBase | None = None
         if isinstance(typevar, DerivedTypeVariable):
-            node = self.node_mapping[SimpleSolver._to_typevar_or_typeconst(typevar.type_var)]
+            t = SimpleSolver._to_typevar_or_typeconst(typevar.type_var)
+            assert isinstance(t, TypeVariable)
+            node = self.node_mapping[t]
             for label in typevar.labels:
                 succs = []
                 for _, dst, data in self.graph.out_edges(node, data=True):
@@ -210,11 +212,26 @@ class Sketch:
         # sub <: super
         if not isinstance(constraint, Subtype):
             return
-        subtype = self.flatten_typevar(constraint.sub_type)
-        supertype = self.flatten_typevar(constraint.super_type)
+        subtype, _ = self.flatten_typevar(constraint.sub_type)
+        supertype, try_maxsize = self.flatten_typevar(constraint.super_type)
+
+        if (
+            try_maxsize
+            and isinstance(subtype, TypeVariable)
+            and subtype in self.solver.stackvar_max_sizes
+            and isinstance(supertype, TypeConstant)
+            and not isinstance(supertype, BottomType)
+        ):
+            basetype = supertype
+            assert basetype.size is not None
+            max_size = self.solver.stackvar_max_sizes.get(subtype, None)
+            if max_size not in {0, None} and max_size // basetype.size > 0:  # type: ignore
+                supertype = Array(element=basetype, count=max_size // basetype.size)  # type: ignore
+
         if SimpleSolver._typevar_inside_set(subtype, PRIMITIVE_TYPES) and not SimpleSolver._typevar_inside_set(
             supertype, PRIMITIVE_TYPES
         ):
+            assert isinstance(supertype, (TypeVariable, DerivedTypeVariable))
             super_node = self.lookup(supertype)
             assert super_node is None or isinstance(super_node, SketchNode)
             if super_node is not None:
@@ -222,6 +239,7 @@ class Sketch:
         elif SimpleSolver._typevar_inside_set(supertype, PRIMITIVE_TYPES) and not SimpleSolver._typevar_inside_set(
             subtype, PRIMITIVE_TYPES
         ):
+            assert isinstance(subtype, (TypeVariable, DerivedTypeVariable))
             sub_node = self.lookup(subtype)
             assert sub_node is None or isinstance(sub_node, SketchNode)
             # assert sub_node is not None
@@ -231,7 +249,7 @@ class Sketch:
     @staticmethod
     def flatten_typevar(
         derived_typevar: TypeVariable | TypeConstant | DerivedTypeVariable,
-    ) -> DerivedTypeVariable | TypeVariable | TypeConstant:
+    ) -> tuple[DerivedTypeVariable | TypeVariable | TypeConstant, bool]:
         # pylint:disable=too-many-boolean-expressions
         if (
             isinstance(derived_typevar, DerivedTypeVariable)
@@ -243,8 +261,10 @@ class Sketch:
             and derived_typevar.labels[1].offset == 0
             and derived_typevar.labels[1].bits == MAX_POINTSTO_BITS
         ):
-            return derived_typevar.type_var.basetype
-        return derived_typevar
+            bt = derived_typevar.type_var.basetype
+            assert bt is not None
+            return bt, True
+        return derived_typevar, False
 
 
 #
@@ -313,6 +333,11 @@ class ConstraintGraphNode:
             else:
                 prefix = DerivedTypeVariable(self.typevar.type_var, None, labels=self.typevar.labels[:-1])
             variance = Variance.COVARIANT if self.variance == last_label.variance else Variance.CONTRAVARIANT
+            if not isinstance(prefix, (TypeVariable, DerivedTypeVariable)):
+                # we may see incorrectly generated type constraints that attempt to load from an int:
+                #   int64.load
+                # we don't want to entertain such constraints
+                return None
             return (
                 ConstraintGraphNode(prefix, variance, self.tag, FORGOTTEN.PRE_FORGOTTEN),
                 self.typevar.labels[-1],
@@ -330,6 +355,7 @@ class ConstraintGraphNode:
             raise TypeError(f"Unsupported type {type(self.typevar)}")
         variance = Variance.COVARIANT if self.variance == label.variance else Variance.CONTRAVARIANT
         var = typevar if not labels else DerivedTypeVariable(typevar, None, labels=labels)
+        assert isinstance(var, (TypeVariable, DerivedTypeVariable))
         return ConstraintGraphNode(var, variance, self.tag, FORGOTTEN.PRE_FORGOTTEN)
 
     def inverse(self) -> ConstraintGraphNode:
@@ -366,13 +392,14 @@ class SimpleSolver:
     improvements.
     """
 
-    def __init__(self, bits: int, constraints, typevars):
+    def __init__(self, bits: int, constraints, typevars, stackvar_max_sizes: dict[TypeVariable, int] | None = None):
         if bits not in (32, 64):
             raise ValueError(f"Pointer size {bits} is not supported. Expect 32 or 64.")
 
         self.bits = bits
         self._constraints: dict[TypeVariable, set[TypeConstraint]] = constraints
         self._typevars: set[TypeVariable] = typevars
+        self.stackvar_max_sizes = stackvar_max_sizes if stackvar_max_sizes is not None else {}
         self._base_lattice = BASE_LATTICES[bits]
         self._base_lattice_inverted = networkx.DiGraph()
         for src, dst in self._base_lattice.edges:
@@ -1289,7 +1316,7 @@ class SimpleSolver:
             for _, succ, data in out_edges:
                 if isinstance(succ, RecursiveRefNode):
                     ref = succ
-                    succ: SketchNode | None = sketch.lookup(succ.target)
+                    succ: SketchNode | None = sketch.lookup(succ.target)  # type: ignore
                     if succ is None:
                         # failed to resolve...
                         _l.warning(

angr/analyses/typehoon/typehoon.py

@@ -37,6 +37,7 @@ class Typehoon(Analysis):
         ground_truth=None,
         var_mapping: dict[SimVariable, set[TypeVariable]] | None = None,
         must_struct: set[TypeVariable] | None = None,
+        stackvar_max_sizes: dict[TypeVariable, int] | None = None,
     ):
         """
 
@@ -52,6 +53,7 @@ class Typehoon(Analysis):
         self._ground_truth: dict[TypeVariable, SimType] | None = ground_truth
         self._var_mapping = var_mapping
         self._must_struct = must_struct
+        self._stackvar_max_sizes = stackvar_max_sizes if stackvar_max_sizes is not None else {}
 
         self.bits = self.project.arch.bits
         self.solution = None
@@ -163,7 +165,7 @@ class Typehoon(Analysis):
                         typevars.add(constraint.sub_type)
                     if isinstance(constraint.super_type, TypeVariable):
                         typevars.add(constraint.super_type)
-        solver = SimpleSolver(self.bits, self._constraints, typevars)
+        solver = SimpleSolver(self.bits, self._constraints, typevars, stackvar_max_sizes=self._stackvar_max_sizes)
         self.solution = solver.solution
 
     def _specialize(self):

angr/calling_conventions.py

@@ -1433,7 +1433,7 @@ class SimCCX86LinuxSyscall(SimCCSyscall):
 
 class SimCCX86WindowsSyscall(SimCCSyscall):
     # TODO: Make sure the information is correct
-    ARG_REGS = []
+    ARG_REGS = ["ecx"]
     FP_ARG_REGS = []
     RETURN_VAL = SimRegArg("eax", 4)
     RETURN_ADDR = SimRegArg("ip_at_syscall", 4)
@@ -1673,7 +1673,7 @@ class SimCCAMD64LinuxSyscall(SimCCSyscall):
 
 class SimCCAMD64WindowsSyscall(SimCCSyscall):
     # TODO: Make sure the information is correct
-    ARG_REGS = []
+    ARG_REGS = ["rcx"]
     FP_ARG_REGS = []
     RETURN_VAL = SimRegArg("rax", 8)
     RETURN_ADDR = SimRegArg("ip_at_syscall", 8)

angr/knowledge_plugins/functions/function.py

@@ -9,7 +9,7 @@ import contextlib
 from typing import overload
 
 import networkx
-from itanium_demangler import parse
+import pydemumble
 
 from cle.backends.symbol import Symbol
 from archinfo.arch_arm import get_real_address_if_arm
@@ -202,7 +202,8 @@ class Function(Serializable):
         if is_plt is not None:
             self.is_plt = is_plt
         else:
-            # Whether this function is a PLT entry or not is fully relying on the PLT detection in CLE
+            # Whether this function is a PLT entry or not is primarily relying on the PLT detection in CLE; it may also
+            # be updated (to True) during CFG recovery.
             if self.project is None:
                 raise ValueError(
                     "'is_plt' must be specified if you do not specify a function manager for this new function."
@@ -1568,14 +1569,8 @@ class Function(Serializable):
 
     @property
     def demangled_name(self):
-        if self.name[0:2] == "_Z":
-            try:
-                ast = parse(self.name)
-            except (NotImplementedError, KeyError):  # itanium demangler is not the most robust package in the world
-                return self.name
-            if ast:
-                return ast.__str__()
-        return self.name
+        ast = pydemumble.demangle(self.name)
+        return ast if ast else self.name
 
     def get_unambiguous_name(self, display_name: str | None = None) -> str:
         """